Anonymously accessible REST endpoints return 200 OK with invalid user credentials


    • Minor

      Issue Summary

      This is reproducible on Data Center: (no)
      Anonymously accessible REST endpoints allow invalid user credentials to be used.

      According to documentation, 401 Unauthorized should be returned for any unauthenticated requests.

      Returned if the authentication credentials are incorrect or missing.
      

      However, if we pass invalid credentials, we get a 200 OK response.

      curl -I --user foo:bar 'https://sitename.atlassian.net/rest/api/2/field'
      HTTP/2 200
      content-type: application/json;charset=UTF-8

      This is counterintuitive and doesn't match the documentation.

      Some APIs that are not anonymously accessible:
      /rest/api/3/mypermissions
      /rest/api/3/project/search
      /rest/api/3/issue/bulkfetch
      /rest/api/3/issue/field

      Steps to Reproduce

      1. Make a request to an anonymously accessible REST endpoint with invalid credentials.

      Expected Results

      According to the documentation, 401 Unauthorized should be returned when credentials are incorrect.

      Actual Results

      A 200 OK response is returned.

      Workaround

      Invalid credentials are treated as anonymous access. So, credentials should be validated with an API endpoint that is not anonymously accessible. For example, /rest/api/2/myself.
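      An added example (not part of this issue report, and not Atlassian code) of the workaround: a credential check that probes /rest/api/2/myself instead of an anonymously accessible endpoint such as /rest/api/2/field. The `simulated_status` transport is a constructed stand-in that models the behaviour described above so the check can be exercised offline; `http_status` is the real transport. The e-mail and token values are made up.

```python
"""Validate Jira Cloud credentials against a non-anonymous endpoint (added example)."""
import base64
import urllib.error
import urllib.request

ANONYMOUS_PROBE = "/rest/api/2/field"   # returns 200 even with bad credentials (per the report)
AUTH_PROBE = "/rest/api/2/myself"       # requires an authenticated user, so bad creds get 401


def basic_auth_header(user: str, secret: str) -> str:
    token = base64.b64encode(f"{user}:{secret}".encode()).decode()
    return f"Basic {token}"


def http_status(url: str, headers: dict) -> int:
    """Real transport: HTTP status code of a HEAD request (401 is returned, not raised)."""
    req = urllib.request.Request(url, headers=headers, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# Constructed simulator of the reported behaviour, used only for offline demonstration.
_SIMULATED_GOOD = basic_auth_header("alice@example.com", "good-token")  # hypothetical


def simulated_status(url: str, headers: dict) -> int:
    if url.endswith(ANONYMOUS_PROBE):
        return 200  # anonymous endpoint: invalid creds are downgraded to anonymous access
    if url.endswith(AUTH_PROBE):
        return 200 if headers.get("Authorization") == _SIMULATED_GOOD else 401
    return 404


def credentials_are_valid(base_url: str, user: str, secret: str, fetch=http_status) -> bool:
    """True only when a non-anonymous endpoint accepts the credentials."""
    headers = {"Authorization": basic_auth_header(user, secret)}
    return fetch(base_url.rstrip("/") + AUTH_PROBE, headers) == 200


def naive_check(base_url: str, user: str, secret: str, fetch=http_status) -> bool:
    """The trap: a 200 from an anonymous endpoint proves nothing about the credentials."""
    headers = {"Authorization": basic_auth_header(user, secret)}
    return fetch(base_url.rstrip("/") + ANONYMOUS_PROBE, headers) == 200
```

      Against a real site, call `credentials_are_valid("https://sitename.atlassian.net", email, api_token)` with the default transport.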

            Assignee:
            Unassigned
            Reporter:
            Nashid Farhad
            Votes:
            5
            Watchers:
            2
